more rules for ganeti; try rsa keys

diff --git a/modules/ferm/templates/defs.conf.erb b/modules/ferm/templates/defs.conf.erb
index 127b30d2d0b026fbe8d41220125bdc082a652afa..d5734dfd7fe97ddf3a668e89baa0a46ce751812b 100644 (file)
--- a/modules/ferm/templates/defs.conf.erb
+++ b/modules/ferm/templates/defs.conf.erb
@@ -166,6 +166,7 @@
 %>);
 
 @def $HOST_GANETI_V4 = (206.12.19.213/32 206.12.19.217/32);
+@def $HOST_DRBD_V4   = (192.168.2.213/32 192.168.2.217/32);
 
 @def $HOST_DEBIAN = ($HOST_DEBIAN_V4 $HOST_DEBIAN_V6);
 

diff --git a/modules/ganeti2/manifests/init.pp b/modules/ganeti2/manifests/init.pp
index 9333a8b29444e34b70c9e124a73bc8a7520b6fb1..887d448164a62a379d07a81d67319f10a4545de5 100644 (file)
--- a/modules/ganeti2/manifests/init.pp
+++ b/modules/ganeti2/manifests/init.pp
@@ -21,4 +21,10 @@ class ganeti2 {
                rule        => 'proto tcp mod state state (NEW) dport (1811) @subchain \'ganeti\' { saddr ($HOST_GANETI_V4) ACCEPT; }',
                notarule    => true,
        }
+
+       @ferm::rule { 'dsa-drbd-v4':
+               description => 'Allow ganeti from ganeti master',
+               rule        => 'proto tcp mod state state (NEW) dport (11000-11999) @subchain \'drbd\' { saddr ($HOST_DRBD_V4) ACCEPT; }',
+               notarule    => true,
+       }
 }

diff --git a/modules/ssh/templates/authorized_keys.erb b/modules/ssh/templates/authorized_keys.erb
index 2738aef54c43a2fbc71b0674213b19740891d440..23ee49b72158c2df0de745567e02fc5a13a1a15f 100644 (file)
--- a/modules/ssh/templates/authorized_keys.erb
+++ b/modules/ssh/templates/authorized_keys.erb
@@ -20,7 +20,7 @@ end
 localkeys
 %>
 <%= ganetikeys = case fqdn
-        when "tristano.debian.org", "pasquini.debian.org" then "ssh-dss AAAAB3NzaC1kc3MAAACBAJ2CX2dqGozYF30+/A44SoObQI4/OL17Hyprsxv9UynMsZHdVDckEQFMMp2M80dLOXsVRzC4DGxUoCzj9chZ5m5ZilwNV09hJxcqRlqKsQMZsCwDNhpCZo9sjrmpn2UUQQdAhFivIIeoqfYCwlc4jHoR8Uc1v1Okv4WXDnYINhizAAAAFQDNy8fH4Gd0kErcY9LT+89xPQNq3QAAAIAks1ud/arXFb7FepYZHRv7BzA4wrEiZ0A/3Acp/vR23ph4qEOucWxQC+Bpf4AqNWCctt5p0SYWoEeO78eNvMI/xewaOEBK/lzecPdvlU/bC35HRrfz8jajXto+p7BBo57RzwOauDazrT0VfYifXE1/b2yNrvY6zgU/vkNOa7a/RQAAAIBkS/X7/nOEKl2RyJMSzZFsCn+C1/swAaTrqLCvcA+5OgZow68yy8jpt/MUSmBzVxU+cbAHlgZgF93P3TgXc2jcDKcB4cEJIEyRVWJow6KXY4hygAt7s4Y95rauxanjEJ28bNqdmwktA0LOhJVyVTeY1z2P19jLvVJNSUrSRGU80A== root@tristano.debian.org (ganeti)\nssh-dss AAAAB3NzaC1kc3MAAACBAPozGq+2RqyYgIk9pckBqNd7RgjhAUvnthmj9yAREI6raDCeT7TSY0MpZV0qm7ZW/kL/klHaugSCUCMbZe8EVGnMdFWAP+h8AJMlSHjjNXdq8K/Ulq/Cap1D7zAx+PkEhl9e9XprrAciPffji9Hd3murKS+navZ/YmEDFGq4kSZ5AAAAFQDSHpoCNVsY7WkWocVI7xS1+NtIxwAAAIEA4HpymvPT0htwiGhOz94ARhioo54IwIMdzZwL1dEFlCiPNa07BWwlU034L/hLTMe5+Qc0Jey77FTNVKH0E+MHb8xkC/MtSLMjIZ7POVS0vlc90b3m8yHO/pFFyqtPPlvOoNzeDqo7Wjdb9DQpaQhreHvadAGXFzGT4PdUcKevz/wAAACBAMPdM9wukVM0EHjxMiIQOpunArtWLeT2tiQiABmtiARHn6/3931Cf8lm6k2l3zLZfdoTWvoCE7G0a2YGzBZnC7KmqYGjpRTL4xssGS3pJl+zDsou88t5m+q89ln9z9Og/x6fmNq6onbZE0VmXgMSujEtxcwMAz6kZAGv3Z76d+EF root@pasquini.debian.org (ganeti)"
+         when "tristano.debian.org", "pasquini.debian.org" then "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDiT6Asr5mK3wR8hjB1gSqJYqWUrQfi1+jtMuZggQcD7VIpabIy0zYSaUP63Oam96BE96qSHUZDEp1EGPoh64rK/9WxGXX/0sRZXJURkOpCO3U2zDAhRbAGqAAYyWS4TPHVUt3g5g+rrHAGgXzc/y2sYChADWJaQ59ga1MyrYGi1VIPAuAaidM01RyFagR1/UmVGP8jCkSD4nGmho4UuFn9Fopnhk5V0YjEEjhjUkPCVe11ckc+fYPiEPFnzgaWJPAycJwF/YmpgjLSKB+mNXqpU4m+jHhpGQ4lK1l0VVf2xOUpbN74uOxThtwPSpgIyq3eG99PkbBGUUweIcSTsZ8h root@pasquini.debian.org (for ganeti)\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC44glHFs5fdojQOUZaR1xwORfVxpmthmjOBgahz3RTCYzX8g0Y4v3rSBTiFOUzgfaY1qyHJX94HDzIq95Unig5ZHZZ2q0V3m3ksIiMQQbiElIqH4w7Yrqc2PICkjzttGwCziNUCIvxuy9pnKqRkpzx4TmorEVhRBjGTM0iAimWcZ5bpZ1E2nWHVtvsMs5nQziRdAiG8hoE2UKzQbpf+AeltZPSIw2LVEAdTmmEWrmyLGaIWY2R5lirwPOTbZsfpLDUD3CLntZbqCFoTOb1xuWvf0SdmpChY7cigaFgwz+ozATxFuLqdW9/YTa/fP1uvid3rSvHkNgojndm0S3/sYTh root@tristano.debian.org (for ganeti)"
 end
 ganetikeys
 %>